Many of us have long waited for a tool that would allow incident responders to grab the contents of RAM from a live Mac. While access to memory was possible using acquisition methods such as the Cold Boot attack, exploiting the FireWire interface (which provides DMA, Direct Memory Access) or, under some circumstances, grabbing the file called sleepimage (the OS X counterpart of hiberfil.sys), the forensic community lacked tools that could capture the state of a Mac's physical memory in the same way that win32dd, mdd, winen or Memoryze can on a Windows machine.

Luckily for us, Cyber Marshal released Mac Memory Reader last week, a command line utility that runs directly on the target Mac and can be downloaded for free. The tool generates a dump file in Apple's Mach-O format containing the offsets and lengths of each available segment of physical RAM (ignoring memory ports or memory-mapped I/O devices), with output to a USB device or any other mounted volume such as an NFS share.

According to Cyber Marshal, Mac Memory Reader executes directly on 32-bit and 64-bit target machines running Mac OS X 10.4, 10.5 or 10.6 and requires a PowerPC G4 or newer, or any Intel processor. All the commands and examples in this post have been tested on my MacBook Pro and iMac, both running Snow Leopard (10.6) on Intel processors. It has been reported that it doesn't work on all systems, though, so if you get different results it would be interesting to know.

Memory Acquisition

Usage is really simple. Open a terminal, change into the MacMemoryReader directory and execute:

($) sudo ./MacMemoryReader -v -H SHA-256 memory.img

The -v switch shows progress of the memory dump and additional debugging information such as the available memory ranges. When the dump is complete, the hash of the output file is shown. You can compute additional hashes on the fly if needed by adding more '-H hashtype' arguments, where hashtype can be MD5, SHA-1, SHA-256 or SHA-512. (Note that later releases of the tool, from version 2.0.4, no longer accept -v: progress is shown by default and the debugging output is enabled with -d instead; see the comments below.)

Don't forget that, in order to collect the contents of RAM, the tool must itself be loaded into memory as a running process, consuming memory and therefore leaving a "digital footprint" (remember Locard's exchange principle?). It also produces an output file slightly larger than the system's physical memory because of the Mach-O header. This header lists all the segments of memory contained in the file, followed by the memory segments themselves, preserving offset information. If you are given one of these snapshots, you can use the otool command to list the physical memory segments captured in the file:

($) otool -l memory.img
memory.img:
Load command 0
      cmd LC_SEGMENT_64
  cmdsize 152
  segname __TEXT
   vmaddr 0x0000000000000000
   vmsize 0x000000000008f000
  fileoff 8192
 filesize 585728
  maxprot 0x00000001
 initprot 0x00000001
   nsects 1
    flags 0x0
...

If the target system is using virtualization technology, the memory dump may be slightly smaller than the full size of the system's RAM, as the hypervisor reserves some memory for itself. In that case the snapshot obtained with MacMemoryReader will still include the RAM used by the guest virtual machines.

Memory Analysis

OK, so we have a memory dump containing volatile data that might be extremely valuable for our forensic investigation. However, collecting, parsing and analyzing the entire contents of physical memory on Mac OS X is still a new field, and while some researchers, such as Matthieu Suiche, have published work on the subject, the truth is that Mac tools are roughly where Windows tools were a few years ago.

However, performing an offline analysis with good old data search and extraction tools is relatively simple. In the end, these Mach-O dumps are (aside from the header) raw data files that respond well to hex editors, strings, grep and data carvers like Foremost.

For example, I used strings and the following grep expression to search for FileVault passwords, which can be found in clear text in the memory image:

($) strings - memory.img | grep -A 4 -i longname
...
--
longname
Ismael_Valenzuela
managedUser
password
MyP@ssw0rd
--
...

Here we look for the text after "longname" to locate user names and the corresponding passwords in plain text. Be aware that strings treats Mach-O files specially and only examines part of the file by default, hence the need for the '-' argument to force it to examine the whole file. In any case, whether you run a grep search using single keywords or a dirty word list in a plain text file with the -f switch, focus on keywords that reduce the results to a manageable amount.
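As an added example (this is not code from the original post, nor part of Cyber Marshal's tool), the following Python script does programmatically what the otool and strings/grep commands above do by hand: it reads the Mach-O segment table in front of the RAM segments, maps physical addresses to dump offsets and back (so a hit can be reported as a physical address, and a hole between segments is recognised rather than mis-mapped), and repeats the "longname" search over every captured segment, which sidesteps the strings(1) Mach-O special-casing entirely. The tiny dump it builds inline is constructed for the demonstration; the segment layout, the MH_CORE file type and the handling of big-endian (PowerPC) headers are assumptions, since the post does not document the exact header values the tool writes.

```python
# Added example: parse a MacMemoryReader-style Mach-O dump, map physical
# addresses <-> file offsets, and search for credential strings. The sample
# dump and its contents are constructed here, not taken from a real machine.
import re
import struct
from collections import namedtuple

LC_SEGMENT = 0x01
LC_SEGMENT_64 = 0x19

# Raw magic bytes -> (struct byte-order prefix, is_64bit). The big-endian
# entries assume a PowerPC dump is written in native Mach-O byte order.
MAGICS = {
    b"\xcf\xfa\xed\xfe": ("<", True),   # MH_MAGIC_64, little-endian (Intel 64-bit)
    b"\xce\xfa\xed\xfe": ("<", False),  # MH_MAGIC,    little-endian (Intel 32-bit)
    b"\xfe\xed\xfa\xcf": (">", True),   # MH_MAGIC_64, big-endian (assumed: G5)
    b"\xfe\xed\xfa\xce": (">", False),  # MH_MAGIC,    big-endian (assumed: G4)
}

Segment = namedtuple("Segment", "name vmaddr vmsize fileoff filesize")


def parse_segments(data):
    """Return the LC_SEGMENT(_64) entries: vmaddr is the physical address of a
    RAM run, fileoff/filesize locate its bytes in the dump. Only the header
    region is touched, so `data` may be an mmap of a multi-gigabyte image."""
    try:
        order, is64 = MAGICS[bytes(data[:4])]
    except KeyError:
        raise ValueError("not a Mach-O file: magic %r" % bytes(data[:4]))
    hdr_size = 32 if is64 else 28
    seg_cmd = LC_SEGMENT_64 if is64 else LC_SEGMENT
    seg_fmt = order + ("16sQQQQ" if is64 else "16sIIII")
    ncmds, sizeofcmds = struct.unpack_from(order + "II", data, 16)
    end = hdr_size + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of data")
    segs, off = [], hdr_size
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack_from(order + "II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd == seg_cmd:
            if cmdsize < 8 + struct.calcsize(seg_fmt):
                raise ValueError("segment command too short at offset %d" % off)
            name, vmaddr, vmsize, fileoff, filesize = struct.unpack_from(seg_fmt, data, off + 8)
            segs.append(Segment(name.rstrip(b"\0").decode("ascii", "replace"),
                                vmaddr, vmsize, fileoff, filesize))
        off += cmdsize
    return sorted(segs, key=lambda s: s.vmaddr)


def phys_to_file_offset(segs, paddr):
    """Dump offset holding physical address paddr, or None if paddr falls in a
    hole (memory-mapped I/O, reserved ranges) that was not captured."""
    for s in segs:
        if s.vmaddr <= paddr < s.vmaddr + s.filesize:
            return s.fileoff + (paddr - s.vmaddr)
    return None


def file_to_phys(segs, off):
    """Inverse mapping; None for offsets inside the header."""
    for s in segs:
        if s.fileoff <= off < s.fileoff + s.filesize:
            return s.vmaddr + (off - s.fileoff)
    return None


STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")  # printable runs of 4+, like strings(1)


def grep_after(data, segs, keyword, after=4):
    """Whole-image equivalent of `strings - dump | grep -A 4 -i keyword`, but
    scanning each captured segment directly. Returns a list of
    (physical_address, [matching string, the `after` strings that follow])."""
    hits = []
    for s in segs:
        chunk = data[s.fileoff:s.fileoff + s.filesize]
        found = [(m.start(), m.group()) for m in STRING_RE.finditer(chunk)]
        for i, (pos, text) in enumerate(found):
            if keyword.lower() in text.lower():
                hits.append((s.vmaddr + pos, [text] + [t for _, t in found[i + 1:i + 1 + after]]))
    return hits


def build_sample_dump():
    """Constructed 64-bit little-endian dump: two RAM runs with a hole between
    them, and the post's example strings planted in the second run."""
    page = 0x1000
    layout = [(0x0, page, page), (0x100000, 2 * page, 2 * page)]  # (paddr, size, fileoff)
    cmds = b"".join(struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT",
                                vmaddr, size, fileoff, size, 1, 1, 0, 0)
                    for vmaddr, size, fileoff in layout)
    # mach_header_64: magic, cputype x86_64, cpusubtype, MH_CORE (assumed), ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IiiIIIII", 0xFEEDFACF, 0x01000007, 3, 4, len(layout), len(cmds), 0, 0)
    body = bytearray(header + cmds) + b"\0" * (page - len(header) - len(cmds))
    seg1 = bytearray(page)
    seg1[0x40:0x40 + 19] = b"kernel text (fake)\0"
    seg2 = bytearray(2 * page)
    planted = b"longname\0Ismael_Valenzuela\0managedUser\0password\0MyP@ssw0rd\0"
    seg2[0x10:0x10 + len(planted)] = planted
    return bytes(body + seg1 + seg2)


if __name__ == "__main__":
    dump = build_sample_dump()
    segments = parse_segments(dump)
    for s in segments:
        print("%-8s paddr=0x%012x size=0x%x fileoff=%d" % (s.name, s.vmaddr, s.vmsize, s.fileoff))
    for paddr, strs in grep_after(dump, segments, b"longname"):
        print("hit at physical 0x%x:" % paddr, [x.decode() for x in strs])
```

For a real image, open it with `mmap` and pass the mapping as `data`: parse_segments only reads the header, and grep_after slices one segment at a time. Note that the search is bounded by each segment's filesize, not vmsize, so a truncated dump never yields bytes that belong to the next segment.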

In Part 2 we will continue our analysis on the Mac's memory dump. Stay tuned!

Ismael Valenzuela (CISSP, CISM, GCFA, GCIA, GPEN, GWAPT, GCWN, 27001 Lead Auditor & ITIL Certified) is a Community SANS Instructor and Global IT Security Manager for iSOFT Group Ltd., one of the world's largest providers of healthcare IT solutions. Since he founded one of the first IT Security consultancies in Spain, Ismael Valenzuela has participated as a security professional in numerous international projects across EMEA, India and Australia in the last 10 years. Ismael has also authored several articles that are freely available at http://blog.ismaelvalenzuela.com. Mr. Valenzuela can be followed on Twitter at @aboutsecurity.


Ismael Valenzuela

@Magnus, thanks for your comments.

@Leland, are you executing MacMemoryReader with the "-v" switch? If so, what is the output? Someone else has reported it not working on 10.5.8, so not sure whether this is a bug in the tool or something else. It might be worth reporting it to ATC-NY here: http://macmarshal.atc-nycorp.com/index.php/contact/support

Thanks for your feedback,
Ismael

carvilsi

Great post. Thank you. :D

Still working on Mac OS X 10.6.8. The -v param is not valid in MacMemoryReader 2.0.4; use -d instead.

On the other hand, I am wondering how we can "reset" or delete the passwords stored in plain text, to prevent the FireWire exploit (without shutting down the machine). Do you think it is possible to overwrite the password memory locations with other data? Thanks again.

Stefan Nowak

The readme in the newest distribution contains this:

"Adding the -d flag to MacMemoryReader will give verbose debugging information as the RAM snapshot is being written. Note that the -v flag of previous versions is no longer available; progress information is now provided by default."

You may update your command line accordingly.


Nick S

MacMemoryReader has stopped working for Mavericks and Yosemite. Also, the MacMemoryReader developers have moved their site to a new address: http://cyberstc.com/ with no visible way to download a new version of MMR. Are there any alternative ways to dump RAM on Mac OS X Yosemite?
